摘要:
In response to receiving a communication from a first process directed to a second process, a trusted entity determines if an object reference in the communication refers to an object owned by a first process which is being exported to a second process or if the communication refers to an object not owned by the first process which is being passed to the second process. The trusted entity generates a second object reference for use by the second process. Use of a naming convention identifies the reference as a reference to an object which is foreign to or owned by the processes.
摘要:
Reference counting is shared between an in-process service runtime and a machine-wide service. The service maintains a global reference count, a global export count, and an exports before revoke count. When the global reference count for a resource or object drops to zero, the machine-wide service deletes the table entry for the object or resource and sends an unref message including the value of the global export count to the sharing process. If the local export count is greater than the global export count of the unref, there are committed exports which have not yet been unreferenced. If both counts are the same, the committed exports have been accounted for and a revoke operation can be issued.
摘要:
A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system is divided into one or more side-by-side and/or nested spaces enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces by creating a new branch of an existing global system name space or by linking the sub-root level nodes of a new hierarchy to a subset of nodes in an existing global system name space.
摘要:
An intra-operating system isolation mechanism called a silo provides for the grouping and isolation of processes running on a single computer using a single instance of the operating system. The operating system enables the controlled sharing of resources by providing a view of a system name space to processes executing within an isolated application called a server silo. A server silo is created by performing a separate “mini-boot” of user-level services within the server silo. The single OS image serving the computer employs the mechanism of name space containment to constrain which server silos can use which resource(s). Restricting access to resources is therefore directly based on the process or application placed in the server silo rather than who is running the application because if a process or application is unable to resolve a name used to access a resource, it will be unable to use the resource.
摘要:
An operating system architecture is based on a service model in which active entities (services) are containers for objects having a number of interfaces specified through a contract language that is a subset of the language in which the service is coded. Services may reside in the same address space or may reside in separate address spaces, without changing the programming model or compiled binaries. The location of a service is independent of the location of the service's clients and of services the service calls.
摘要:
A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system is divided into one or more side-by-side and/or nested isolated environments enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces via virtual hierarchies.
摘要:
A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system environment is divided into one or more side-by-side and/or nested spaces enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces via virtual hierarchies. A set of declarative rules specifying access capabilities may specify a set of filter drivers to be used to limit access to nodes in the hierarchical name space. The rules may be applied in sequence to construct a new name space from an existing one, or to add to an existing hierarchy. Filter drivers are used to limit access to nodes in the new name space or new portion of the name space. Access to nodes can be limited (read-only access instead of read/write) or nodes can be hidden altogether. Rules may be specified in a declarative language such as XML.
摘要:
Object invocation may be carried out by one thread in a service which may include multiple executing threads. In a mechanism for implementing a cancellation operation in a cooperative system, a thread identifies an operation to be cancelled. A cancel function has an argument comprising the thread identifier in which the operation is to be cancelled. The cancel function is called by a client process thread to cancel a pending object invocation initiated by the client process. An immediate or hard cancel causes the targeted client and cancel thread to return immediately. A discretionary or soft cancel does not affect the targeted client thread. In either case the server process is notified via a maintenance notification. The target thread of the cancel cannot be reused for other work until the cancel request or notification has returned.
摘要:
Systems and methods for providing a framework within which device drivers may run at a user-mode level. A platform (e.g., APIC) or bus (PCI bus) generic feature is used to take the CPU out of interrupt mode without having to wait for a user-level driver to clear the device interrupt. This allows writing the complete device driver in user space. The device driver still get notifications on interrupts but not at interrupt priority. The same scheme can be extended to shared interrupts, where multiple devices share a single interrupt line.